This chapter describes how to configure Oracle Advanced Security for Oracle9i, or for the Oracle9i server, for use with Kerberos authentication--and how to configure Kerberos to authenticate Oracle database users. This chapter contains the following topics:

After the service table has been extracted, verify that the new entries are in the table in addition to the old ones. If they are not, or if you need to add more, use kadmin.local to append them.

If you do not enter a realm when using ktadd, it uses the realm of the current host and displays it in the command output, as shown above.

If the Kerberos service table is on the same system as the Kerberos client, you can move it. If the service table is on a different system from the Kerberos client, you must transfer the file with a program such as FTP. If using FTP, transfer the file in binary mode.

The following example is UNIX-specific.

# mv /tmp/keytab /etc/v5srvtab

The default name of the service file is /etc/v5srvtab.

Verify that the owner of the Oracle database server executable can read the service table (/etc/v5srvtab in the previous example). To do so, set the file owner to the Oracle user, or make the file readable by the group to which Oracle belongs.

Caution:

Do not make the file readable to all users; this can enable a security breach.
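An added check for the caution above (example code, not part of the Oracle documentation): it verifies that a service table is owned by the Oracle software owner and carries no permission bits for other users, group read being acceptable. The demonstration runs on constructed temporary files rather than a real /etc/v5srvtab.

```shell
# Added example, not from the Oracle documentation: check that a Kerberos
# service table (such as /etc/v5srvtab) is owned by the Oracle software
# owner and carries no permission bits for "other", which is the condition
# the caution above describes. Returns 0 if the file passes, 1 otherwise.
check_keytab_perms() {
    keytab=$1          # path to the service table
    oracle_owner=$2    # expected owner (the Oracle software owner)

    [ -f "$keytab" ] || { echo "missing: $keytab" >&2; return 1; }

    # Take the mode string and owner from a long listing rather than
    # from stat(1), whose flags differ between GNU and BSD userlands.
    set -- $(ls -ld "$keytab")
    mode=$1
    owner=$3

    if [ "$owner" != "$oracle_owner" ]; then
        echo "owner is $owner, expected $oracle_owner: $keytab" >&2
        return 1
    fi
    # Characters 8-10 of the mode string are the "other" permission bits.
    case $(printf '%s' "$mode" | cut -c8-10) in
        ---) return 0 ;;                       # group read is acceptable
        *)   echo "readable by all users ($mode): $keytab" >&2; return 1 ;;
    esac
}

# Demonstration on constructed temporary files (not real service tables).
demo_keytab_check() {
    tmp=$(mktemp -d)
    : > "$tmp/v5srvtab.good"; chmod 640 "$tmp/v5srvtab.good"
    : > "$tmp/v5srvtab.bad";  chmod 644 "$tmp/v5srvtab.bad"
    me=$(id -un)
    check_keytab_perms "$tmp/v5srvtab.good" "$me" && echo "640: accepted"
    check_keytab_perms "$tmp/v5srvtab.bad"  "$me" || echo "644: rejected"
    rm -rf "$tmp"
}

demo_keytab_check
```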

Figure 6-1 Oracle Advanced Security Authentication Window (Kerberos)

Move KERBEROS5 to the Selected Methods list by clicking the right-arrow [>].

Arrange the selected methods in order of use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list. For example, if you want KERBEROS5 to be the first service used, move it to the top of the list.

Step 2: Set the Initialization Parameters

To set parameters in the initialization parameter file:

Add the following parameter to the initialization parameter file:

REMOTE_OS_AUTHENT=FALSE

Attention:

Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach, because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly called an OPS$ login).

Because Kerberos user names can be long, and Oracle user names are limited to 30 characters, Oracle Corporation strongly recommends that you set the value of OS_AUTHENT_PREFIX to null as follows:

OS_AUTHENT_PREFIX=""

Setting this parameter to null overrides the default value of OPS$.

Step 3: Set sqlnet.ora Parameters (optional)

In addition to the required parameters, you can optionally set the following sqlnet.ora parameters on the client and the Oracle database server:

Parameter:

SQLNET.KERBEROS5_CC_NAME=pathname_to_credentials_cache_file

Description:

Specifies the complete pathname to the Kerberos credentials cache (CC) file. The default value is operating system-dependent. For UNIX, it is /tmp/krb5cc_user id.

You can also set this parameter by using the KRB5CCNAME environment variable, but the value set in the sqlnet.ora file takes precedence over the value set in KRB5CCNAME.

Parameter:

SQLNET.KERBEROS5_CLOCKSKEW=number_of_seconds

Description:

This parameter specifies how many seconds can pass before a Kerberos credential is considered out-of-date. It is used when a credential is actually received by either a client or a database server. An Oracle database server also uses it to decide if a credential needs to be stored to protect against a replay attack. The default is 300 seconds.

Example:

SQLNET.KERBEROS5_CLOCKSKEW=1200

Parameter:

SQLNET.KERBEROS5_CONF=pathname_to_Kerberos_configuration_file

Description:

This parameter specifies the complete pathname to the Kerberos configuration file. The configuration file contains the realm for the default KDC (key distribution center) and maps realms to KDC hosts. The default is operating system-dependent. For UNIX, it is /krb5/krb.conf.

Example:

SQLNET.KERBEROS5_CONF=/krb/krb.conf

Parameter:

SQLNET.KERBEROS5_CONF_MIT=[TRUE|FALSE]

Description:

This parameter specifies whether the new MIT Kerberos configuration format is used. If the value is set to TRUE, the file is parsed according to the new configuration format rules. If the value is set to FALSE, the default (non-MIT) configuration is used. The default is FALSE.

Example:

SQLNET.KERBEROS5_CONF_MIT=False

Parameter:

SQLNET.KERBEROS5_KEYTAB=pathname_to_Kerberos_principal/key_table

Description:

This parameter specifies the complete pathname to the Kerberos principal/secret key mapping file. It is used by the Oracle database server to extract its key and decrypt the incoming authentication information from the client. The default is operating system-dependent. For UNIX, it is /etc/v5srvtab.

Example:

SQLNET.KERBEROS5_KEYTAB=/etc/v5srvtab

Parameter:

SQLNET.KERBEROS5_REALMS=pathname_to_Kerberos_realm_translation_file

Description:

This parameter specifies the complete pathname to the Kerberos realm translation file. The translation file provides a mapping from a host name or domain name to a realm. The default is operating system-dependent. For UNIX, it is /etc/krb.realms.

Example:

SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
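An added audit script covering both the initialization parameters of Step 2 and the optional sqlnet.ora parameters of Step 3 (example code, not part of the Oracle documentation). The parameter names are the documented ones; the sample files it reads are constructed in the test, and the checks (FALSE, null prefix, numeric clock skew, absolute paths) follow the descriptions above.

```shell
# Added example, not from the Oracle documentation: audit the initialization
# parameters of Step 2 and the optional sqlnet.ora parameters of Step 3.
# Parameter names are the documented ones; sample files are constructed.

# ora_param FILE NAME: print the value of NAME from an Oracle parameter file
# with comments, surrounding whitespace and enclosing quotes removed.
# Exit status is 1 when NAME is not set in the file.
ora_param() {
    awk -v want="$2" '
        { sub(/#.*/, "") }
        /=/ { name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
              if (toupper(name) != toupper(want)) next
              val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
              gsub(/^"|"$/, "", val); print val; found = 1; exit }
        END { if (!found) exit 1 }' "$1"
}

# check_init_params FILE: REMOTE_OS_AUTHENT must be FALSE and
# OS_AUTHENT_PREFIX must be set to null (unset means the OPS$ default).
check_init_params() {
    rc=0
    case $(ora_param "$1" REMOTE_OS_AUTHENT) in
        FALSE|false) ;;
        *) echo 'REMOTE_OS_AUTHENT is not FALSE' >&2; rc=1 ;;
    esac
    prefix=$(ora_param "$1" OS_AUTHENT_PREFIX) || prefix='OPS$'
    [ -z "$prefix" ] || { echo "OS_AUTHENT_PREFIX is \"$prefix\", not null" >&2; rc=1; }
    return $rc
}

# check_sqlnet_params FILE: the clock skew must be a number of seconds
# (documented default 300) and each configured Kerberos path must be absolute.
check_sqlnet_params() {
    rc=0
    skew=$(ora_param "$1" SQLNET.KERBEROS5_CLOCKSKEW) || skew=300
    case $skew in
        ''|*[!0-9]*) echo "SQLNET.KERBEROS5_CLOCKSKEW=$skew is not a number" >&2; rc=1 ;;
    esac
    for p in SQLNET.KERBEROS5_CC_NAME SQLNET.KERBEROS5_CONF \
             SQLNET.KERBEROS5_KEYTAB SQLNET.KERBEROS5_REALMS; do
        path=$(ora_param "$1" "$p") || continue         # unset: OS default applies
        case $path in
            /*) ;;
            *) echo "$p=$path is not an absolute pathname" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

Run as `check_init_params /path/to/init.ora; check_sqlnet_params /path/to/sqlnet.ora`; each function prints the failing settings on stderr and returns 1 when anything is off.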

Task 8: Create a Kerberos User

To create Oracle users that Kerberos can authenticate, perform this task on the Kerberos authentication server where the administration tools are installed. The realm must already exist.

Note:

The utility names in this section are executable programs. However, the Kerberos user name krbuser and realm SOMECO.COM are examples only; they can vary among systems.

Run /krb5/admin/kadmin.local as root to create a new Kerberos user, such as krbuser.

Task 9: Create an Externally-authenticated Oracle User

Run SQL*Plus on the Oracle database server to create the Oracle user that corresponds to the Kerberos user. In the following example, OS_AUTHENT_PREFIX is set to null (""). The Oracle user name is in uppercase enclosed in double quotation marks.

Task 10: Get an Initial Ticket for the Kerberos/Oracle User

Before you can connect to the database, you must ask the Key Distribution Center (KDC) for an initial ticket. To do so, run the following on the client:

% okinit user_name

If a database connection such as the following must follow a database link, you must obtain the initial ticket with the forwardable (-f) option:

sqlplus /@oracle

Executing okinit -f enables credentials that can be used across database links. Run the following commands on the Oracle client:

% okinit -f

Password for krbuser@SOMECO.COM:password

Utilities for the Kerberos Authentication Adapter

Three utilities are shipped with the Oracle Kerberos authentication adapter. These utilities are intended for use on an Oracle client with Oracle Kerberos authentication support installed.

Use okinit to obtain an initial ticket.

Use oklist to display credentials.

Use okdstry to remove credentials from the credentials cache.

Note:

Solaris is shipped with Kerberos version 4. Ensure that the Kerberos version 5 utilities are in the path so that the version 4 utilities are not used inadvertently.

Use okinit to Obtain the Initial Ticket

The okinit utility obtains and caches Kerberos tickets. This utility is typically used to obtain the ticket-granting ticket, using a password entered by the user to decrypt the credential from the key distribution center (KDC). The ticket-granting ticket is then stored in the user's credential cache.

-f

Ask for a forwardable ticket-granting ticket. This option is necessary to follow database links.

-l

Specify the lifetime of the ticket-granting ticket and all subsequent tickets. By default, the ticket-granting ticket is good for eight (8) hours, but shorter or longer-lived credentials may be desired. Note that the KDC can ignore this option or put site-configured limits on what can be specified. The lifetime value is a string that consists of a number qualified by w (weeks), d (days), h (hours), m (minutes), or s (seconds), as in the following example:

okinit -l 2w1d6h20m30s

The example requests a ticket-granting ticket that has a lifetime of 2 weeks, 1 day, 6 hours, 20 minutes, and 30 seconds.

-c

Specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file.

-?

List command line options.
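An added helper for the -l lifetime string described above (example code, not part of the Oracle documentation): it converts a string such as 2w1d6h20m30s into seconds, using the unit meanings from the example above (m is minutes), and compares the request against a site limit. The limit value is an assumption for the demonstration; the KDC applies its own.

```shell
# Added example, not from the Oracle documentation: convert an okinit -l
# lifetime string into seconds and check it against a site limit. The
# unit table follows the example above; the limit is an assumption.

# lifetime_seconds SPEC: print the number of seconds for a string such as
# 2w1d6h20m30s; print nothing and return 1 if the string is malformed.
lifetime_seconds() {
    printf '%s\n' "$1" | awk '
        BEGIN { sec["w"] = 604800; sec["d"] = 86400; sec["h"] = 3600
                sec["m"] = 60;     sec["s"] = 1 }
        /^([0-9]+[wdhms])+$/ {
            s = $0; total = 0
            while (match(s, /^[0-9]+[wdhms]/)) {      # consume one "<n><unit>" term
                n = substr(s, 1, RLENGTH - 1) + 0
                total += n * sec[substr(s, RLENGTH, 1)]
                s = substr(s, RLENGTH + 1)
            }
            print total; ok = 1
        }
        END { exit !ok }'
}

# lifetime_within_limit SPEC MAX_SECONDS: return 0 when the requested
# ticket-granting-ticket lifetime does not exceed the site limit.
lifetime_within_limit() {
    secs=$(lifetime_seconds "$1") || { echo "malformed lifetime: $1" >&2; return 1; }
    [ "$secs" -le "$2" ] && return 0
    echo "requested $1 ($secs s) exceeds limit of $2 s" >&2
    return 1
}

# Demonstration with the documented example and the 8-hour default.
lifetime_seconds 2w1d6h20m30s          # 1318830
lifetime_within_limit 8h 28800 && echo "8h: within limit"
lifetime_within_limit 2w1d6h20m30s 28800 || echo "2w1d6h20m30s: rejected"
```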

Use OKLIST to Display Credentials

Run the oklist utility to display the list of tickets held; available oklist options are listed in Table 6-2:

Table 6-2 Options for the oklist Utility

Option

Description

-f

Show flags with credentials. Relevant flags are: I (credential is a ticket-granting ticket), F (credential is forwardable), and f (credential is forwarded).

-c

Specify an alternative credential cache. In UNIX, the default is /tmp/krb5cc_uid. The alternate credential cache can also be specified by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file.

-k

List the entries in the service table (default /etc/v5srvtab) on UNIX. The alternate service table can also be specified by using the SQLNET.KERBEROS5_KEYTAB parameter in the sqlnet.ora file.

The show flag option (-f) displays additional information, as shown in the following example:

Use OKDSTRY to Remove Credentials from the Cache File

Use the okdstry utility to remove credentials from the credentials cache file:

$ okdstry -f

where the -f command option lets you specify an alternative credential cache. For UNIX, the default is /tmp/krb5cc_uid. You can also specify the alternate credential cache by using the SQLNET.KERBEROS5_CC_NAME parameter in the sqlnet.ora file.

Connecting to an Oracle Database Server Authenticated by Kerberos

You can now connect to an Oracle database server without using a user name or password. Enter a command similar to the following: